Android apps share data between them without your permission

Your apps are conspiring against you. An analysis of more than 100,000 Android apps has found that they sometimes collude with each other to obtain information without permission.

“Apps that don’t have a good reason to ask for extra permissions sometimes don’t bother. Instead, they manage to get information through other apps,” says Gang Wang at Virginia Tech.

Android apps are screened for viruses and other security issues before being listed in the Google Play store, but only individually. Once downloaded, apps can communicate with each other without notifying the user. But the team found that some apps exploit this feature to gain access to data they shouldn’t be able to.

“We’ve suspected that collusion happens between apps for a while, but it’s hard to catch. So we analysed a huge number of pairs of apps,” says Daphne Yao at Virginia Tech. Out of the 100,206 most popular apps on the Google Play store, the researchers found 23,495 colluding pairs.

Chatty apps

However, all of these pairs contained one of just 54 apps that instigated the collusion. Those that were most likely to be up to mischief often seemed the most innocuous, such as apps that give you extra emojis, personalise your ring tone, or modify your phone’s background. The researchers will present their work at the Asia Conference on Computer and Communications Security in April.

“The bad news is that we found that apps can pass information around recklessly. The good news is that the amount of collusion is still quite low,” says Yao. In many cases, it wasn’t clear whether an app was designed to collude with others for malicious purposes, or if it was just a mistake.

But as the vulnerability becomes better known, developers of malicious apps could exploit it more often. It could allow malware to gain access to a person’s camera or obtain sensitive data without their permission, for example.

Identifying colluding apps is “an important step forward in the malware arms-race”, says Vasilios Mavroudis at University College London. App stores like Google Play should start using a similar screening process, he says.